How to Install Exchange 2013/2016/2019 Cumulative Updates?

Software updates are critical as they bring new features, fix bugs, and patch vulnerabilities that threat actors may exploit to gain unauthorized access.

Microsoft releases Security Updates (SUs) every month and Cumulative Updates (CUs) for supported Exchange Server versions, such as Exchange 2013, 2016, and 2019, every quarter.

Cumulative Updates contain all the hotfixes and security updates released between the current and last CU releases. In addition, CUs also bring new features and updates that may improve the server's performance and reliability.

Moreover, Microsoft provides security updates for newer builds (CUs) and stops supporting the older Exchange Server builds.  

Thus, updating the Exchange Server to the latest Cumulative Update is critical to continue receiving new security updates and protect the Exchange environment from malicious attacks.

However, you need to prepare your Exchange Server and plan the update as it can take time to finish. Also, if you are running a standalone Exchange Server, the mail flow will stop until you finish applying the Cumulative Updates. Planning is also important to avoid issues or instances of failed installation that can render the server unusable.

This article explains the complete process of downloading and applying the latest Cumulative Updates released by Microsoft for supported Exchange Server versions with step-by-step instructions. You can follow this guide to apply Cumulative Updates to Exchange Server 2013, 2016, and 2019.

Steps to Install Cumulative Update in Exchange 2013, 2016, and 2019

There are two ways to install Cumulative Updates:

  • Through the Graphical User Interface (GUI)
  • Using Command Prompt unattended mode

Below we have discussed steps to install the Cumulative Updates on standalone and DAG Exchange Servers using the unattended mode. But before you begin installing the Cumulative Update to Exchange Server, remember the following,

  • After the upgrade, you can't uninstall Cumulative Updates as uninstalling CU will remove the Exchange Server.
  • Customizations made to Exchange Server, such as Web.config files, will be overwritten and require you to re-apply them later after the upgrade. Therefore, save all customized Exchange and IIS settings you have made.
  • Always test the Cumulative update in a test environment before deploying it to the production server.
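
One way to save the customized files mentioned above and see afterwards which ones setup replaced. This is an added example, not part of the original article; it assumes the `ExchangeInstallPath` environment variable is present on the Exchange Server, and `D:\CU-Backup` is a placeholder backup location.

```powershell
# Added example: snapshot *.config files before the CU and report changes after it.
# Assumptions: $env:ExchangeInstallPath is set on the server; D:\CU-Backup is a placeholder.
function Save-ConfigSnapshot {
    param(
        [string]$BackupRoot = 'D:\CU-Backup',
        [string[]]$Roots = @($env:ExchangeInstallPath, "$env:windir\System32\inetsrv\config")
    )
    $target = Join-Path $BackupRoot (Get-Date -Format 'yyyyMMdd-HHmmss')
    New-Item -ItemType Directory -Path $target -Force | Out-Null

    $manifest = foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Recurse -File -Include '*.config' -ErrorAction SilentlyContinue |
            ForEach-Object {
                # Mirror the original path under the backup folder (drive colon removed)
                $dest = Join-Path $target ($_.FullName -replace ':', '')
                New-Item -ItemType Directory -Path (Split-Path $dest) -Force | Out-Null
                Copy-Item -LiteralPath $_.FullName -Destination $dest
                [pscustomobject]@{
                    Path   = $_.FullName
                    SHA256 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                }
            }
    }
    $manifest | Export-Csv -Path (Join-Path $target 'manifest.csv') -NoTypeInformation
    return $target
}

function Compare-ConfigSnapshot {
    param([Parameter(Mandatory)][string]$SnapshotPath)
    # Re-hash every file recorded before the upgrade and list only the differences
    Import-Csv (Join-Path $SnapshotPath 'manifest.csv') | ForEach-Object {
        $state = if (-not (Test-Path -LiteralPath $_.Path)) { 'Missing' }
                 elseif ((Get-FileHash -LiteralPath $_.Path -Algorithm SHA256).Hash -ne $_.SHA256) { 'Changed' }
                 else { 'Unchanged' }
        [pscustomobject]@{ Path = $_.Path; State = $state }
    } | Where-Object State -ne 'Unchanged'
}

# Before the CU:  $snap = Save-ConfigSnapshot
# After the CU:   Compare-ConfigSnapshot -SnapshotPath $snap
```

Files reported as Changed are the ones to review against the saved copies before re-applying any customization.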

IMPORTANT NOTE: Back up before you start installing the CU. If the update fails for any reason, you can use your backup to build a new server and restore mailbox databases. However, if the backup isn't available, you can use Exchange recovery software, such as Stellar Repair for Exchange, to recover mailboxes from the failed Exchange Server and export them to the new live Exchange Server directly.

Step 1: Download the Cumulative Update

Before downloading the latest CU for your Exchange Server, check the current version using the following Exchange Management Shell cmdlet,

Get-ExchangeServer | fl Name,Edition,AdminDisplayVersion

Then visit the Exchange Server build numbers and release dates page to check and download the latest Cumulative Update for your Exchange Server version. Never download any security or cumulative updates from third-party or unofficial sites as they may contain malware.

Step 2: Prepare for Cumulative Update

On the download page, check the system requirement section to learn the pre-requisites you need to install.

Usually, you need to update the .NET framework to the supported version.

After installing the pre-requisites on your server, mount the downloaded Cumulative Update ISO image.
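
Following on from the warning in Step 1 about unofficial downloads, the mounted media can be checked before anything on it is executed. This is an added example, not part of the original article; the ISO path is a placeholder, and the check assumes that Setup.exe on genuine media carries a valid Authenticode signature from Microsoft Corporation.

```powershell
# Added example: mount the CU ISO and verify Setup.exe is Microsoft-signed before use.
# Assumption: the ISO path passed in is a placeholder for your download location.
function Test-ExchangeCuMedia {
    param([Parameter(Mandatory)][string]$IsoPath)

    # Record the ISO hash so the same file can be identified on other servers
    $isoHash = (Get-FileHash -LiteralPath $IsoPath -Algorithm SHA256).Hash

    $image = Mount-DiskImage -ImagePath $IsoPath -PassThru
    $drive = ($image | Get-Volume).DriveLetter
    $setup = "${drive}:\Setup.exe"

    $sig     = Get-AuthenticodeSignature -FilePath $setup
    $signer  = $sig.SignerCertificate
    $trusted = $sig.Status -eq 'Valid' -and
               $signer -and
               $signer.Subject -match 'O=Microsoft Corporation'

    # Leave the image mounted only when the check passes
    if (-not $trusted) { Dismount-DiskImage -ImagePath $IsoPath | Out-Null }

    [pscustomobject]@{
        IsoSha256   = $isoHash
        SetupPath   = $setup
        SigStatus   = $sig.Status
        Signer      = if ($signer) { $signer.Subject } else { '<unsigned>' }
        Thumbprint  = if ($signer) { $signer.Thumbprint } else { $null }
        OkToInstall = [bool]$trusted
    }
}

$result = Test-ExchangeCuMedia -IsoPath 'C:\Install\ExchangeServer-CU.iso'   # placeholder path
$result | Format-List
if (-not $result.OkToInstall) {
    throw "Setup.exe signature check failed: $($result.SigStatus)"
}
```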

Step 3: Put Exchange Server in Maintenance Mode

It is recommended to put Exchange Server in maintenance mode before updating or upgrading the Exchange Server. You can use the following PowerShell commands in Exchange Management Shell (EMS) to put your Exchange Server 2013, 2016, or 2019 into maintenance mode.

  • Set HubTransport to draining state,

Set-ServerComponentState -Identity "ServerName" -Component HubTransport -State Draining -Requester Maintenance

  • If you have another Exchange Server in the organization, redirect the queued messages to that server

Redirect-Message -Server ServerName -Target "ServerName-02.stellarinfo.com"

  • If the server belongs to the DAG group, run the following command; otherwise, skip to ServerWideOffline

Suspend-ClusterNode "ServerName-01"

  • Then disable database copy auto-activation and move the active copy of the database to another DAG member.

Set-MailboxServer "ServerName-01" -DatabaseCopyActivationDisabledAndMoveNow $true

  • Also, block the DatabaseCopyAutoActivationPolicy,

Set-MailboxServer "ServerName-01" -DatabaseCopyAutoActivationPolicy Blocked

  • Then put the Exchange Server into maintenance mode using the following command,

Set-ServerComponentState "ServerName" -Component ServerWideOffline -State Inactive -Requester Maintenance

  • To verify Exchange Server is in maintenance mode, run the following command,

Get-ServerComponentState "ServerName" | Select Component, State

The components must be in an inactive state.

Restart the server.

Step 4: Install RSAT-ADDS Feature

Before extending the Active Directory Schema, you must install the RSAT-ADDS feature on the domain controller and Exchange Server. For this, open PowerShell as administrator and run the following command,

Install-WindowsFeature RSAT-ADDS

Restart the server.

Step 5: Prepare Schema, AD, and Domains

To prepare the Schema, Active Directory, and Domains, open Command Prompt as administrator and navigate to the mounted CU ISO location using the CD command. For instance,

cd /d F:\

Then run the following commands to prepare the Schema, AD, and all Domains,

.\Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataOff /PrepareSchema

.\Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataOff /PrepareAD

.\Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataOff /PrepareAllDomains

To prepare a single domain instead of all domains, replace /PrepareAllDomains with /PrepareDomain.

NOTE: Starting from the September 2021 CU, you need to use either the /IAcceptExchangeServerLicenseTerms_DiagnosticDataOFF or the /IAcceptExchangeServerLicenseTerms_DiagnosticDataON switch for unattended installs.

Restart the server in between to clear any pending reboots.
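
A pre-flight check that confirms the conditions from Steps 3 to 5 still hold before setup is launched: no pending reboot, the server still in maintenance mode and, on a DAG member, no active database copy left on the node. This is an added example, not part of the original article; the function names are hypothetical, `ServerName` is the same placeholder used above, and the Exchange cmdlets require the Exchange Management Shell.

```powershell
# Added example: pre-flight gate to run in Exchange Management Shell before Setup.exe.
# Function names are illustrative; 'ServerName' is a placeholder.
function Get-PendingRebootReason {
    $reasons = @()
    $keys = @{
        'Component Based Servicing' = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
        'Windows Update'            = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    }
    foreach ($name in $keys.Keys) {
        if (Test-Path $keys[$name]) { $reasons += $name }
    }
    $sm = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' `
                           -Name PendingFileRenameOperations -ErrorAction SilentlyContinue
    if ($sm.PendingFileRenameOperations) { $reasons += 'PendingFileRenameOperations' }
    return $reasons
}

function Test-ReadyForCumulativeUpdate {
    param(
        [Parameter(Mandatory)][string]$Server,
        [switch]$DagMember
    )
    $problems = @()
    foreach ($r in Get-PendingRebootReason) { $problems += "Pending reboot ($r)" }

    # Maintenance mode from Step 3 must still be in effect after the restarts
    $swo = Get-ServerComponentState -Identity $Server -Component ServerWideOffline
    if ("$($swo.State)" -ne 'Inactive') {
        $problems += "ServerWideOffline is $($swo.State), expected Inactive"
    }

    if ($DagMember) {
        $policy = (Get-MailboxServer -Identity $Server).DatabaseCopyAutoActivationPolicy
        if ("$policy" -ne 'Blocked') { $problems += "DatabaseCopyAutoActivationPolicy is $policy" }
        # No active (mounted) database copy may remain on the node being updated
        $active = Get-MailboxDatabaseCopyStatus -Server $Server |
                  Where-Object { "$($_.Status)" -eq 'Mounted' }
        foreach ($copy in $active) { $problems += "Active copy still mounted here: $($copy.Name)" }
    }
    return $problems
}

# Omit -DagMember on a standalone server, where databases stay mounted locally
$problems = @(Test-ReadyForCumulativeUpdate -Server 'ServerName' -DagMember)
if ($problems.Count) { $problems; throw 'Server is not ready for the CU setup' }
```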

Step 6: Install Cumulative Updates via Unattended Setup or GUI

You can install Cumulative Update using the Command Prompt or directly launch the Setup.exe file from the mount location.

To run the installation in unattended mode via Command Prompt, open an elevated command prompt, change to the mount location, and execute the following command,

cd /d <mount location>
.\Setup.exe /Mode:Upgrade /IAcceptExchangeServerLicenseTerms_DiagnosticDataOff

Step 7: Remove Server from Maintenance Mode

Once the installation is finished, restart the server and then check the current version using the following command in EMS,

Get-ExchangeServer | Fl

Once verified, remove the server from the maintenance mode using the following command in Exchange Management Shell,

Set-ServerComponentState "ServerName" -Component ServerWideOffline -State Active -Requester Maintenance
Set-ServerComponentState "ServerName" -Component HubTransport -State Active -Requester Maintenance

On the DAG member server, you need to perform the following commands to remove maintenance mode,

Resume-ClusterNode -Name "ServerName"

Set-MailboxServer "ServerName" -DatabaseCopyAutoActivationPolicy Unrestricted
Set-MailboxServer "ServerName" -DatabaseCopyActivationDisabledAndMoveNow $false
Set-ServerComponentState "ServerName" -Component ServerWideOffline -State Active -Requester Maintenance
Set-ServerComponentState "ServerName" -Component HubTransport -State Active -Requester Maintenance

To verify the DAG member server is out of maintenance mode,

Get-ClusterNode "ServerName"

Step 8: Install Pending Security Updates (SUs)

Now that you have updated your Exchange Server to the latest Cumulative Update, check for any pending Security Updates. You can run the HealthChecker.ps1 script on your server to find the vulnerabilities and then apply the SUs to patch them.

To install Security updates, navigate to the folder where Security updates are downloaded (.msp files) and run the following command in the elevated Command Prompt window,

.\Updatename.msp

Follow the wizard to complete the installation and then reboot.

Conclusion

Microsoft recommends that its Exchange customers install the latest updates, whether Security Updates (SUs) or Cumulative Updates (CUs), as they arrive to protect the organization from newer threats and malicious attacks. Attacks on unpatched Exchange Servers often rise immediately after Microsoft releases the patches or updates, increasing the chances of your organization getting compromised. To reduce this risk, install the updates as soon as possible.

However, if the server is compromised or the database is damaged after a malicious attack, create a new server and restore the mailboxes from the backup. Never use the compromised server, even if you can fix it. If the backup isn't available, use Exchange recovery software, such as Stellar Repair for Exchange, to recover mailboxes from your compromised Exchange Server and save them as PSTs. You may also export the extracted mailboxes from corrupt or damaged Exchange database directly to your new Live Exchange Server or Office 365 in a few clicks.

